In case you missed it, on Thursday night, the Wall Street Journal and New York Times published leaked details from the recommendations from the review group on intelligence and communications technologies, a panel President Obama set up in August to review the NSA's activities in response to the Edward Snowden leaks.
The stories described what they said were recommendations in the report as presented in draft form to White House advisors; the final report was due to the White House on Sunday. There were discrepancies in the reporting, which may have signaled the leaks were a public airing of disputes surrounding the review group (both articles noted the results were "still being finalized"). The biggest news item were reports about a recommendation that the director of the NSA (Dirnsa) and Cyber Command positions be split, with a civilian leading the former agency.
Before the final report was even delivered, the White House struck. On Friday, while insisting that the commission report was not yet final, national security council spokesperson Caitlin Hayden announced the White House had already decided the position would not be split. A dual-hatted general would continue to lead both.
By all appearances, the White House moved to pre-empt the results of its own review group to squelch any recommendation that the position be split. The Christian Science Monitor even reported that the final report now recommends that DIRNSA and CyberCom remain unified, suggesting either that the faction that supported that recommendation prevailed on the review, or the review changed its recommendations to accord with the president's decision, announced after receiving initial recommendations to split it.
Consider that by the end of the day Friday, NSA deputy director John "Chris" Inglis, who weeks earlier had been floated as the leader of a civilian-led NSA, retired. (His plan to do so had been reported earlier this year).
Two things are at issue with this jockeying. First, all the evidence about this review group suggested it was a typical Washington DC whitewash. Rather than appointing outsiders, as Obama had promised, the group members – made up of Cass Sunstein, Geoffrey Stone, Peter Swire, Richard Clarke, and led by former acting CIA director Michael Morrell – have close ties to the president and/or the national security community. And the group reported through director of national intelligence James Clapper, whose performance should have been reviewed. No pure technical experts were included on a panel that ought to be assessing technical alternatives.
As the Guardian reported in September, experts who had advised the group came away with the impression that the team wouldn't consider substantive changes. All the evidence suggested this group was designed to stave off change, not recommend it.
Nevertheless, as soon as it did recommend changes, the White House moved quickly to shut down any discussion of that main recommendation. More important is the substance of the rejected recommendation, which will keep the NSA and CyberCommand under the same military general. One of the most alarming reports from the Snowden documents pertains to how NSA has weakened encryption to make both data collection and offensive cyberattacks easier. As the Guardian reported in September, the NSA has covertly worked to make encryption standards weaker. NSA's British partner GCHQ has been working to break the encryption of the top email programs. Ultimately, the NSA is trying to "insert vulnerabilities" into commercial encryption systems.
That means the NSA, to fulfill its data collection and cyber-offensive roles, has been creating holes that cyber-attackers – hackers, thieves, and other countries – can also exploit. Meanwhile, the NSA's domestic collection programs increasingly focus on preventing cyberattackers from exploiting those and other vulnerabilities. That's even one of the biggest successes it touts from the Fisa Amendments Act bulk collection program. The NSA is creating holes. Then it says it needs to collect more and more data domestically to prevent anyone from exploiting those holes.
A different independent review even suggested our cybersecurity continues to fail because our intelligence agencies are so busy building offensive weapons rather than building up our defenses. As a top intelligence venture figure told the New York Times last month:
It is easier and more intellectually interesting to play offense than defense.
Whatever else the dual-hatted Dirnsa and CyberCom position does, it fosters this condition. Not only is the combined position incredibly powerful from a bureaucratic standpoint, but having the same person oversee information collection and cyberattacks puts a premium on those encryption holes that make both collection and attacks easier. As a result, no powerful entity champions cyberdefense, plugging the holes that makes us all less safe.
The Wall Street Journal also reported the review group planned to recommend the NSA move the Information Assurance Group – the entity within NSA that makes code and plugs holes – out of the NSA. And that may improve things somewhat (though the most likely place to move it is Department of Homeland Security, not exactly the most effective bureaucratic agency). Yet that function would still be fighting the bureaucratic weight of a dual-hatted general.
The Obama administration revealed two things on Friday: first, even a whitewash review group proved too disruptive for the White House and the military figures who won in last week's pissing contest. Second, Obama has chosen to continue prioritizing attacks over keeping us safe.